The U.S. Senate is considering a new U.S. federal privacy breach notification law, entitled The Data Security and Breach Notification Act of 2012. The Bill is currently before the Committee on Commerce, Science and Transportation.
If enacted, the Bill would apply to organizations over which the U.S. Federal Trade Commission has authority (“covered entities”). For these organizations, the Bill’s provisions would pre-empt a patch-work of state laws dealing with privacy breach notification. It would not regulate financial institutions or certain health care institutions that are governed by other U.S. federal legislation.
Notably, the Bill recognizes the reality of the outsourcing of data processing and integrates that into a hierarchy of responsibilities so that data breach notification can be implemented in an organized way. The following are some of the highlights of the Bill:
Covered entities who own or licence data in electronic form must provide notification to citizens or residents of the United States whose personal information may have been “accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause, identity theft or other financial harm.”
If the number of individuals involved in the data breach exceeds 10,000, then the covered entity must also notify the U.S. Secret Service or the U.S. Federal Bureau of Investigation.
Third parties who are contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity are required to notify covered entities of security breaches. At that point, the covered entity is responsible for notification to individuals.
Internet service providers and other service providers who route data are required to notify covered entities of security breaches affecting the covered entities’ data if those covered entities can be reasonably identified. Once notified, the covered entities are responsible for notification to individuals.
Notification to individuals is to be made “as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.” However, notification may be delayed in the interests of a criminal investigation or national security.
Generally, notification will be direct notification and may be made by mail, telephone or electronic means. The content of the notice is specific: the date, estimated date, or estimated date range of the breach of security; a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach; and contact information to find out more about the breach and the information that the covered entity maintains about the individual. If the covered entity does not have sufficient contact information or the cost would be excessive, the covered entity may provide notice by certain substitute means.
The proposed U.S. Bill has a limited reach. It is focused on personal information that is highly sensitive in terms of identity theft and fraud. The definition of “personal information” is limited to an individual’s first name or first initial and last name in combination with any one or more of the following: (a) social security number; (b) driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; or (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
Meanwhile, in Canada, amendments to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) remain stalled. The amendments would introduce privacy breach notification to provinces other than British Columbia, Alberta (which already has privacy breach notification) and Quebec. See my post for a run-down.
When comparing the proposed U.S. and Canadian legislation, one issue that jumps out is that the Canadian Bill is concerned with a broader array of data security breaches. This is not necessarily a good thing.
First, the Canadian amendments do not clearly distinguish organizations that are primarily accountable for personal information from outsourcing companies who may process or store the information and service providers who may route data. Instead any organization who “controls” the data is responsible for data breach notification. ”Control” is not defined. Previously, the Office of the Privacy Commissioner of Canada has concluded that information may still be controlled by an organization even though not in its possession. This makes sense and is consistent with the law in other areas, such as discovery obligations in litigation. However, it is possible that more than one organization may “control” the information. We might productively debate whether a hierarchy of responsibility, such as in the U.S. proposed Bill, would provide clarity and make breach notification more manageable as well as more clearly define who is accountable for the implementation of breach notification.
Second, the Canadian amendments apply to all types of personal information. It will be up to organizations to determine whether the breach is “material” based on assessments of the sensitivity of the personal information. No legislative guideposts are provided with respect to sensitivity. Furthermore, the standard for individual breach notification rests on whether the individual might suffer a real risk of significant harm. The types of harm are broad. If the Alberta experience is indicative of the approach that might be taken federally, the result will be an expansive interpretation of what might constitute a real risk of significant harm. Although the individual breach notification requirement in the proposed U.S. Bill is also related to harm, it is more narrowly focused to identity theft and financial harm. While we might debate whether these protected interests are too narrow, there may be utility in revisiting whether the Canadian law is too vague too provide organizations with meaningful guidance.
The American Bar Association has more on the U.S. Bill here.